Prisoners of their own device: Trojan attacks on device-independent quantum cryptography
Device-independent quantum cryptographic schemes aim to guarantee security to users based only on the output statistics of any components used, and without the need to verify their internal functionality. Since this would protect users against untrustworthy or incompetent manufacturers, sabotage or device degradation, this idea has excited much interest, and many device-independent schemes have been proposed. Here we identify a critical weakness of device-independent protocols that rely on public communication between secure laboratories. Untrusted devices may record their inputs and outputs and reveal information about them via publicly discussed outputs during later runs. Reusing devices thus compromises the security of a protocol and risks leaking secret data. Possible defences include securely destroying or isolating used devices. However, these are costly and often impractical. We propose other more practical partial defences as well as a new protocol structure for device-independent quantum key distribution that aims to achieve composable security in the case of two parties using a small number of devices to repeatedly share keys with one another (and no other party).



Quantum cryptography aims to exploit the properties 
of quantum systems to ensure the security of various 
tasks. The best known example is quantum key distri- 
bution (QKD), which can enable two parties to share a 
secret random string and thus exchange messages secure 
against eavesdropping, and we mostly focus on this task 
for concreteness. While all classical key distribution pro- 
tocols rely for their security on assumed limitations on 
an eavesdropper's computational power, the advantage 
of quantum key distribution protocols (e.g. [1, 2]) is that 
they are provably secure against an arbitrarily powerful 
eavesdropper, even in the presence of realistic levels of 
losses and errors jH. However, the security proofs require 
that quantum devices function according to particular 
specifications. Any deviation - which might arise from a 
malicious or incompetent manufacturer, or through sab- 
otage or degradation - can introduce exploitable security 
flaws (see e.g. [J] for practical illustrations). 

The possibility of quantum devices with deliberately concealed flaws, introduced by an untrustworthy manufacturer or saboteur, is particularly concerning, since (i) it is easy to design quantum devices that appear to be following a secure protocol but are actually completely insecure¹, and (ii) there is no general technique for identifying all possible security loopholes in standard quantum cryptography devices. This has led to much interest in device-independent quantum protocols, which aim to guarantee security on the fly by testing the device outputs [5-10]: no specification of their internal functionality is required.

¹ In BB84 [1], for example, a malicious state creation device could be programmed to secretly send the basis used for the encoding in an additional degree of freedom.

Known provably secure schemes for device-independent quantum key distribution are inefficient, as they require either independent isolated devices for each entangled pair to ensure device-independent security @, MM, G3], or a large number of entangled pairs to generate a short key [f| [H. Finding an efficient secure device-independent quantum key distribution scheme using two (or few) devices has remained an open theoretical challenge. Nonetheless, in the absence of tight theoretical bounds on the scope for device-independent quantum cryptography, progress to date has encouraged optimism (e.g. about the prospects for device-independent QKD as a practical technology, as well as for device-independent quantum randomness expansion [13-15] and other applications of device-independent quantum cryptography (e.g. [Hj]).

However, one key question has been generally neglected in work to date on device-independent quantum cryptography, namely what happens if and when devices are reused. Specifically, are device-reusing protocols composable - i.e. do individually secure protocols of this type remain secure when combined? It is clear that reuse of untrusted devices cannot be universally composable, i.e. such devices cannot be securely reused for completely general purposes (in particular, if they have memory, they must be kept secure after the protocol). However, for device-independent quantum cryptography to have significant practical value, one would hope that devices can at least be reused for the same purpose. For example one would like to be able to implement a QKD protocol many times, perhaps with different parties each time, with a guarantee that all the generated keys can be securely used in an arbitrary environment so long as the devices are kept secure. We focus on this type of composability here.

We describe a new type of attack that highlights pitfalls in producing protocols that are composable (in the above sense) with device-independent security for reusable devices, and show that for all known protocols such composability fails in the strong sense that purportedly secret data become completely insecure. The leaks do not exploit new side channels (which proficient users are assumed to block), but instead occur through the device choosing its outputs as part of a later protocol.

To illustrate this, consider a device-independent 
scheme that allows two users (Alice and Bob) to gen- 
erate and share a purportedly secure cryptographic key. 
A malicious manufacturer (Eve) can design devices so 
that they record and store all their inputs and outputs. 
A well designed device-independent protocol can prevent 
the devices from leaking information about the generated 
key during that protocol. However, when they are reused, 
the devices can make their outputs in later runs depend 
on the inputs and outputs of earlier runs, and, if the pro- 
tocol requires Alice and Bob to publicly exchange at least 
some information about these later outputs (as all exist- 
ing protocols do), this can leak information about the 
original key to Eve. Moreover, in many existing proto- 
cols, such leaks can be surreptitiously hidden in the noise, 
hence allowing the devices to operate indefinitely like hid- 
den spies, apparently complying with security tests, and 
producing only data in the form the protocols require, 
but nonetheless actually eventually leaking all the pur- 
portedly secure data. 

We stress that our results certainly do not imply that 
quantum key distribution per se is insecure or impracti- 
cal. In particular, our attacks do not apply to standard 
QKD protocols in which the devices' properties are fully 
trusted, nor if the devices are trusted to be memoryless 
(but otherwise untrusted), nor necessarily to protocols 
relying on some other type of partially trusted devices. 
Our target is the possibility of (full) device-independent 
quantum cryptographic security, applicable to users who 
purchase devices from a potentially sophisticated adver- 
sarial supplier and rely on no assumption about the de- 
vices' internal workings. 

The attacks we present raise new issues of composability and point towards the need for new protocol designs. We discuss some countermeasures to our attacks that appear effective in the restricted but relevant scenario where two users only ever use their devices for QKD exchanges with one another, and propose a new type of protocol that aims to achieve security in this scenario while allowing device reuse. Even with these countermeasures, however, we show that security of a key generated with Bob can be compromised if Alice uses the same device for key generation with an additional party. This appears to be a generic problem against which we see no complete defence.

Although we focus on device-independent QKD for most of this work, our attacks also apply to other device-independent quantum cryptographic tasks. The case of randomness expansion is detailed in Appendix E.

Cryptographic scenario. — We use the standard crypto- 
graphic scenario for key distribution between Alice and 
Bob, each of whom has a secure laboratory. These labo- 
ratories may be partitioned into secure sub-laboratories, 
and we assume Alice and Bob can prevent communica- 
tion between their sub-laboratories as well as between 
their labs and the outside world, except as authorized by 
the protocol. The setup of these laboratories is as follows. 
Each party has a trusted private random string, a trusted 
classical computer and access to two channels connecting 
them. The first channel is an insecure quantum channel. 
Any data sent down this can be intercepted and modi- 
fied by Eve, who is assumed to know the protocol. The 
second is an authenticated classical channel which Eve 
can listen to but cannot impersonate; in efficient QKD 
protocols this is typically implemented by using some 
key bits to authenticate communications over a public 
channel. Each party also uses a sub-laboratory to isolate 
each of the untrusted devices being used for today's pro- 
tocol. They can connect them to the insecure quantum 
channel, as desired, and this connection can be closed 
thereafter. They can also interact with each device clas- 
sically, supplying inputs (chosen using the trusted private 
string) and receiving outputs, without any other informa- 
tion flowing into or out of the secure sub-laboratory. 

As mentioned before, existing device-independent QKD protocols that have been proven unconditionally secure [f| [I]], Ell require separate devices for each measurement performed by Alice and Bob with no possibility of signalling between these devices², or are inefficient [17] (in terms of the amount of key per entangled pair). For practical device-independent QKD, we would like to remove both of these disadvantages and have an efficient scheme needing a small number of devices.

Since the protocols in [11, 12] can tolerate reasonable levels of noise and are reasonably efficient, we look first at implementations of protocols taking the form of those in [11, 12], except that Alice and Bob use one measurement device each, i.e., Alice (Bob) uses the same device to perform each of her (his) measurements. We call these two-device protocols (Bob also has a separate isolated source device: see below). The memory of a device can then act as a signal from earlier to later measurements, hence the security proofs of [11, 12] do not apply (see also [20], where a different two-device setup is discussed). It is an open question whether a secure key can be efficiently generated by a protocol of this type in this scenario. Here we demonstrate that, even if a key can be securely generated, repeat implementations of the protocol using the same devices can render an earlier generated key insecure.

TABLE I: Generic structure of the protocols we consider.

1. Entangled quantum states used in the protocol are generated by a device Bob holds (which is separate and kept isolated from his measurement device) and then shared over an insecure quantum channel with Alice's device. Bob feeds his half of each state to his measurement device. Once the states are received, the quantum channel is closed.

2. Alice and Bob each pick a random input A_i and B_i to their device, ensuring they receive an output bit (X_i and Y_i respectively) before making the next input (so that the i-th output cannot depend on future inputs). They repeat this M times.

3. Either Alice or Bob (or both) publicly announces their measurement choices, and the relevant party checks that they had a sufficient number of suitable input combinations for the protocol. If not, they abort.

4. (Sifting.) Some output pairs may be discarded according to some public protocol.

5. (Parameter estimation.) Alice randomly and independently decides whether to announce each remaining bit to Bob, doing so with probability μ (where Mμ ≫ 1). Bob uses the communicated bits and his corresponding outputs to compute some test function, and aborts if it lies outside a desired range. (For example, Bob might compute the CHSH value [21] of the announced data, and abort if it is below 2.5.)

6. (Error correction.) Alice and Bob perform error correction using public discussion, in order to (with high probability) generate identical strings. Eve learns the error correction function Alice applies to her string.

7. (Privacy amplification.) Alice and Bob publicly perform privacy amplification [22], producing a shorter shared string about which Eve has virtually no information. Eve similarly learns the privacy amplification function they apply to their error-corrected strings.

Although this structure is potentially restrictive, most protocols to date are of this form (we discuss modifications later). Note that we do not need to specify the precise sub-protocols used for error correction or privacy amplification. For an additional remark, see Appendix A.

Attacks on two-device protocols. — Consider a QKD protocol with the standard structure shown in Table I. We imagine a scenario in which a protocol of this type is run on day 1, generating a secure key for Alice and Bob, while informing Eve of the functions used by Alice for error correction and privacy amplification (for simplicity we assume the protocol has no sifting procedure (Step 4)). The protocol is then rerun on day 2, to generate a second key, using the same devices. Eve can instruct the devices to proceed as follows. On day 1, they follow the protocol honestly. However, they keep hidden records of all the raw bits they generate during the protocol. At the end of day 1, Eve knows the error correction and privacy amplification functions used by Alice and Bob to generate the secure key.

On day 2, since Eve has access to the insecure quantum channel over which the new quantum states are distributed, she can surreptitiously modulate these quantum states to carry new classical instructions to the device in Alice's lab, for example using additional degrees of freedom in the states. These instructions tell the device the error correction and privacy amplification functions used on day 1, allowing it to compute the secret key generated on day 1. They also tell the device to deviate from the honest protocol for randomly selected inputs, by producing as outputs specified bits from this secret key. (For example, "for input 17, give day 1's key bit 5 as output".) If any of these selected outputs are among those announced in Step 5, Eve learns the corresponding bits of day 1's secret key. We call this type of attack, in which Eve attempts to gain information from the classical messages sent in Step 5, a parameter estimation attack.

If she follows this cheating strategy for Nμ^{-1} < M input bits, Eve is likely to learn roughly N bits of day 1's secret key. Moreover, only the roughly N output pairs from this set that are publicly compared give Alice and Bob statistical information about Eve's cheating. Alice and Bob cannot a priori identify these cheating output pairs among the ≈ μM they compare. Thus, if the tolerable noise level is comparable to Nμ^{-1}M^{-1}, Eve can (with high probability) mask her cheating as noise. (Note that in unconditional security proofs it is generally assumed that eavesdropping is the cause of all noise. Even if in practice Eve cannot reduce the noise to zero, she can supply less noisy components than she claims and use the extra tolerable noise to cheat.)
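The following simulation is added here as an illustration of the parameter estimation attack just described; it is not code from the paper. It runs Steps 2, 5 and 7 of Table I for two days with a memory-equipped measurement device on Alice's side. On day 1 the device is honest. Between days Eve, who learned the (public) privacy amplification function and which rounds were announced, tells the device which day-1 rounds stayed secret, the hash, and a plan of day-2 rounds on which to emit day-1 key bits; on day 2 Bob's CHSH test stays above 2.5 while Alice's own announcements hand Eve roughly N key bits. Assumptions: ideal CHSH-optimal correlations plus a small bit-flip noise stand in for the real devices, error correction is omitted (the key is derived from Alice's raw bits), a random linear hash stands in for the two-universal hash of Step 7, and the values of M, μ, the noise rate and N are illustrative.

```python
import random

# cos^2(pi/8): probability that ideal CHSH-optimal devices give equal outputs
# (opposite outputs on the input pair (1,1)), which yields S = 2*sqrt(2).
P_WIN = 0.8535533905932737


def quantum_pair(a, b, rng, noise):
    """Sample one (x, y) output pair for inputs (a, b) from the ideal CHSH
    correlations, then flip y with probability `noise` (assumed channel noise)."""
    x = rng.randrange(2)
    y = x if rng.random() < P_WIN else x ^ 1
    if a == 1 and b == 1:
        y ^= 1
    if rng.random() < noise:
        y ^= 1
    return x, y


def chsh(rounds):
    """Bob's test function of Step 5: S = E00 + E01 + E10 - E11 estimated from
    the announced (a, b, x, y) tuples. Returns 0.0 if any input pair is missing."""
    counts = {}
    for a, b, x, y in rounds:
        tot, agree = counts.get((a, b), (0, 0))
        counts[(a, b)] = (tot + 1, agree + (x == y))
    if len(counts) < 4:
        return 0.0
    e = {k: 2.0 * agree / tot - 1.0 for k, (tot, agree) in counts.items()}
    return e[0, 0] + e[0, 1] + e[1, 0] - e[1, 1]


def linear_hash(bits, masks):
    """Stand-in for the Step 7 privacy amplification: key bit j is the parity
    of the raw bits selected by masks[j]. Eve learns the masks, not the raw bits."""
    x = 0
    for b in bits:
        x = (x << 1) | b
    return [bin(x & m).count("1") & 1 for m in masks]


class TrojanDevice:
    """Alice's measurement device as built by Eve: it keeps a hidden log of every
    input/output and, once told the day-1 post-processing, recomputes the day-1
    key and substitutes chosen key bits for its outputs on a later day."""

    def __init__(self):
        self.log = []        # (input, emitted output) for every round, every day
        self.override = {}   # later-day round index -> key bit to emit instead

    def emit(self, i, a, x):
        x = self.override.get(i, x)
        self.log.append((a, x))
        return x

    def receive_instructions(self, key_rounds, masks, plan):
        """Arrives hidden in the day-2 quantum states. key_rounds are the day-1
        log positions that stayed secret; plan maps day-2 round -> key bit index."""
        key = linear_hash([self.log[i][1] for i in key_rounds], masks)
        self.override = {r: key[j] for r, j in plan.items()}


def run_day(M, mu, noise, rng, device, threshold=2.5):
    """Steps 2 and 5 of Table I for one day (ideal correlations, so no sifting
    or error correction is modelled). Bob aborts if the CHSH estimate is below
    threshold. Returns the verdict, the public (round, x) announcements that
    Eve also sees, and the rounds whose outputs stay secret (Alice's raw key)."""
    announced, compared, key_rounds = [], [], []
    for i in range(M):
        a, b = rng.randrange(2), rng.randrange(2)   # trusted private randomness
        x, y = quantum_pair(a, b, rng, noise)
        x = device.emit(i, a, x)
        if rng.random() < mu:
            announced.append((i, x))
            compared.append((a, b, x, y))
        else:
            key_rounds.append(i)
    s = chsh(compared)
    return {"chsh": s, "abort": s < threshold, "announced": announced,
            "key_rounds": key_rounds}


def simulate(seed=1, M=40000, mu=0.1, noise=0.01, n_leak=40, key_len=512):
    """Day 1 honest, day 2 with the parameter estimation attack. Eve targets
    n_leak key bits by cheating on n_leak/mu rounds, each tied to a distinct
    key bit (so key_len must be at least n_leak/mu). Illustrative parameters."""
    rng = random.Random(seed)
    dev = TrojanDevice()
    day1 = run_day(M, mu, noise, rng, dev)
    if day1["abort"]:
        return {"aborted_day": 1}
    raw1 = [dev.log[i][1] for i in day1["key_rounds"]]
    masks = [rng.getrandbits(len(raw1)) for _ in range(key_len)]   # public
    key1 = linear_hash(raw1, masks)                                 # Alice's secret
    cheat_rounds = rng.sample(range(M), round(n_leak / mu))
    plan = {r: j for j, r in enumerate(cheat_rounds)}
    dev.receive_instructions(day1["key_rounds"], masks, plan)
    day2 = run_day(M, mu, noise, rng, dev)
    leaked = {plan[i]: x for i, x in day2["announced"] if i in plan}
    return {"aborted_day": None, "chsh_day1": day1["chsh"],
            "chsh_day2": day2["chsh"], "leaked_bits": len(leaked),
            "leak_correct": all(key1[j] == v for j, v in leaked.items())}
```

With these parameters the cheating rounds are 1% of all rounds, so Bob's CHSH estimate drops by about 1% of its honest value and stays well above 2.5, while about N = 40 of the 512 day-1 key bits are read straight off the day-2 announcements. Raising the noise budget Bob tolerates raises the rate at which Eve can leak without detection, which is the trade-off the text describes.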

In addition, Alice and Bob's devices each separately have the power to cause the protocol to abort on any day of their choice. Thus - if she is willing to wait long enough - Eve can program them to communicate some or all information about their day 1 key, for instance by encoding the relevant bits as a binary integer N = b_1 ... b_m and choosing to abort on day (N + 2)³. We call this type of attack an abort attack. Note that it cannot be detected until it is too late.

As mentioned above, some well known protocols use many independent and isolated measurement devices. These protocols are also vulnerable to memory attacks, as explained in Appendix D.

Modified protocols. — We now discuss ways in which these attacks can be partly defended against.

³ In practice, Eve might infer a day (N + 2) abort from the fact that Alice and Bob have no secret key available on day (N + 2), which in many scenarios might detectably affect their behaviour then or subsequently. Note too that she might alternatively program the devices to abort on every day from (N + 2) onwards if this made N more easily inferable in practice.

Countermeasure 1. — All quantum data and all public communication of output data in the protocol come from one party, say Bob. Thus, the entangled states used in the protocol are generated by a separate isolated device held by Bob (as in the protocol in Table I) and Bob (rather than Alice) sends selected output data over a public channel in Step 5. If Bob's device is forever kept isolated from incoming communication, Eve has no way of sending it instructions to calculate and leak secret key bits from day 1 (or any later day).

Existing protocols modified in this way are still inse- 
cure if reused, however. For example, in a modified pa- 
rameter estimation attack, Eve can pre-program Bob's 
device to leak raw key data from day 1 via output data 
on subsequent days, at a low enough rate (compared to 
the background noise level) that this cheating is unlikely 
to be detected. If the actual noise level is lower than the 
level tolerated in the protocol, and Eve knows both (a 
possibility Alice and Bob must allow for), she can thereby 
eventually obtain all Bob's raw key data from day 1, and 
hence the secret key. 

In addition, Eve can still communicate with Alice's 
device, and Alice needs to be able to make some public 
communication to Bob, if only to abort the protocol. Eve 
can thus obtain secret key bits from day 1 on a later day 
using an abort attack. 

Countermeasure 2. [23] — Encrypt the parameter estimation information sent in Step 5 with some initial pre-shared seed randomness. Provided the seed required is small compared to the size of the final string generated (which is the case in efficient QKD protocols [11, 12]), the protocol then performs key expansion⁴. Furthermore, even if they have insufficient initial shared key to encrypt the parameter estimation information, Alice and Bob could communicate the parameter estimation information unencrypted on day 1, but encrypt it on subsequent days using generated key.

Note that this countermeasure is not effective against 
abort attacks, which can now be used to convey all or 
part of their day 1 raw key. This type of attack seems 
unavoidable in any standard cryptographic model requir- 
ing composability and allowing arbitrarily many device 
reuses if either Alice or Bob has only a single measure- 
ment device. 

This countermeasure is also not effective in general cryptographic environments involving communication with multiple users who may not all be trustworthy. Suppose that Alice wants to share key with Bob on day 1, but with Charlie on day 2. If Charlie becomes corrupted by Eve, then, for example by hiding data in the parameter estimation, Eve can learn about day 1's key (we call this an impostor attack). This attack applies in many scenarios in which users might wish to use device-independent QKD. For example, suppose Alice is a merchant and Bob is a customer who needs to communicate his credit card number to Alice via QKD to complete the sale. The next day, Eve can pose as a customer, carry out her own QKD exchange with Alice, and extract information about Bob's card number without being detected.

⁴ QKD is often referred to as quantum key expansion in any case, taking into account that a common method of authenticating the classical channel uses pre-shared randomness.

Countermeasure 3. — Alternative protocols using additional measurement devices. Suppose Alice and Bob each have m measurement devices, for some small integer m > 2. They perform Steps 1-6 of a protocol that takes the form given in Table I but with Countermeasures 1 and 2 applied. They repeat these steps for each of their devices in turn, ensuring no communication between any of them (i.e., they place each in its own sub-laboratory). This yields m error-corrected strings. Alice and Bob concatenate their strings before performing privacy amplification as in Step 7. However, they further shorten the final string such that it would (with near certainty) remain secure if one of the m error-corrected strings were to become known to Eve through an abort attack. (See Table 2, and Appendix C for more details).

This countermeasure doesn't avoid impostor attacks. Instead, the idea is to prevent useful abort attacks (as well as parameter estimation attacks, due to Countermeasure 2), and hence give us a secure and composable protocol, provided the keys produced on successive days are always between the same two users. The information each device has about day 1's key is limited to the raw key it produced. Thus, if each device is programmed to abort on a particular day that encodes its day 1 raw key, after an abort, Eve knows one of the devices' raw keys and has some information on the others (since she can exclude certain possibilities based on the lack of abort by those devices so far). After an abort, Alice and Bob should cease to use any of their devices unless and until such time that they no longer require that their keys remain secret. Intuitively, provided the set of m keys was sufficiently shortened in the privacy amplification step, Eve has essentially no information about the day 1 secret key, which thus (we conjecture) remains secure.

Countermeasure 4. — Alice and Bob share a small initial secret key and use part of it to choose the privacy amplification function in Step 7 of the protocol, which may then never become known to Eve.

Even in this case, Eve can pre-program Bob's measure- 
ment device to leak raw data from day 1 on subsequent 
days, either via a parameter estimation attack or via an 
abort attack. While Eve cannot obtain bits of the se- 
cret key so directly in this case, provided the protocol 
is composed sufficiently many times, she can eventually 
obtain all the raw key. This means that Alice and Bob's 
residual security ultimately derives only from the initial 
shared secret key: their QKD protocol produces no extra 
permanently secure data. 
In summary, we have shown how a malicious manufacturer who wishes to mislead users or obtain data from them can equip devices with a memory and use it in programming them. The full scope of this threat seems to have been overlooked in the literature on device-independent quantum cryptography to date. A task is potentially vulnerable to our attacks if it involves secret data generated by devices and if Eve can learn some function of the device outputs in a subsequent protocol. Since even causing a protocol to abort communicates some information to Eve, the class of tasks potentially affected is large indeed. In particular, for one of the most important applications, QKD, none of the protocols so far proposed remain composably secure in the case that the devices are supplied by a malicious adversary.

One can think of the problems our attacks raise as 
a new issue of cryptographic composability. One way 
of thinking of standard composability is that a secure 
output from a protocol must still have all the proper- 
ties of an ideal secure output when combined with other 
outputs from the same or other protocols. The device- 
independent key distribution protocols we have examined 
fail this test because the reuse of devices can cause later 
outputs to depend on earlier ones. In a sense, the un- 
derlying problem is that the usage of devices is not com- 
posably secure. This applies too, of course, for devices 
used in different protocols: devices used for secure ran- 
domness expansion cannot then securely be used for key 
distribution without potentially compromising the gen- 
erated randomness, for example. 

It is worth reiterating that our attacks do not apply against protocols where the devices are trusted to be memoryless. Indeed, there are schemes that are composably secure for memoryless devices [11, 12]. We also stress that our attacks do not apply to all protocols for device-independent quantum tasks related to cryptography. For example, even devices with memories cannot mimic nonlocal correlations in the absence of shared entanglement [24, 25]. In addition, in applications that require only short-lived secrets, devices may be reused once such secrets are no longer required. Partially secure device-independent protocols for bit commitment and coin tossing [19], in which the committer supplies devices to the recipient, are also immune from our attacks, so long as the only data entering the devices come from the committer.

Note too that, in practice, the number of uses required to apply the attacks may be very large, for example, in the case of some of the abort attacks we described. One can imagine a scenario in which Alice and Bob want to carry out device-independent QKD no more than n times for some fixed number n, each is confident in the other's trustworthiness throughout, the devices are used for no other purpose and are destroyed after n rounds, and key generation is suspended and the devices destroyed if a single abort occurs. If the only relevant information conveyed to Eve is that an abort occurs on one of the n days, she can only learn at most log n bits of information about the raw key via an abort attack. Hence one idea is that, using suitable additional privacy amplification, Alice and Bob could produce a device-independent protocol using two measurement devices that is provably secure when restricted to no more than n bilateral uses. It would be interesting to analyse this possibility, which, along with the protocol presented in Table 2, leads us to hold out the hope of useful security for fully device-independent QKD, albeit in restricted scenarios.

We have also discussed some possible defences and countermeasures against our attacks. A theoretically simple one is to dispose of - i.e. securely destroy or isolate - untrusted devices after a single use (see Appendix B). While this would restore universal composability, it is clearly costly and would severely limit the practicality of device-independent quantum cryptography. Another interesting possibility is to design protocols for composable device-independent QKD guaranteed secure in more restricted scenarios. However, the impostor attacks described above appear to exclude the possibility of composably secure device-independent QKD when the devices are used to exchange key with several parties.

Many interesting questions remain open. Nonetheless, 
the attacks we have described merit a serious reappraisal 
of current protocol designs and, in our view, of the prac- 
tical scope of universally composable quantum cryptog- 
raphy using completely untrusted devices. 

Added Remark: Since the first version of this paper, there has been new work in this area that, in part, explores countermeasure 2 in more detail [26]. In addition, two new works on device-independent QKD with only two devices have appeared [13, [H[. Note that these do not evade the attacks we present, but apply to the scenario where used devices are discarded.
Appendix A: Separation of sources and measurement devices

We add here one important comment about the general structure of the generic protocol given in Table I of the main text. There it was crucial that in Step 1, in the case where Bob (rather than Eve) supplies the states, he does so using a device that is isolated from his measurement device. If, on the other hand, Bob had only a single device that both supplies states and performs measurements, then his device can hide information about day 1's raw key in the states he sends on day 2. (This can be done using states of the form specified in the protocol, masking the errors as noise as above. Alternatively, the data could be encoded in the timings of the signals or in quantum degrees of freedom not used in the protocol.)



Appendix B: Toxic device disposal 

As noted in the main text, standard cryptographic 
models postulate that the parties can create secure 
laboratories, within which all operations are shielded 
from eavesdropping. Device-independent quantum cryp- 
tographic models also necessarily assume that devices 
within these laboratories cannot signal to the outside 
- otherwise security is clearly impossible. Multi-device 
protocols assume that the laboratories can be divided 
into effectively isolated sub-laboratories, and that de- 
vices in separate sub-laboratories cannot communicate. 
In other words, Alice and Bob must be able to build ar- 
bitrary configurations of screening walls, which prevent 
communication among Eve and any of her devices, and 
allow only communications specified by Alice and Bob. 

Given this, there is no problem in principle in defining 
protocols which prescribe that devices must be perma- 
nently isolated: the devices simply need to be left indef- 
initely in a screened sub-laboratory. While this could be 
detached from the main working laboratory, it must be 
protected indefinitely: screening wall material and secure 
space thus become consumed resources. And indeed in 
some situations, it may be more efficient to isolate de- 
vices, rather than securely destroy them, since devices 
can be reused once the secrets they know have become 
public by other means. For example, one may wish to 
securely communicate the result of an election before an- 
nouncing it, but once it is public, the devices used for 
this secure communication could be safely reused. 

The alternative, securely destroying devices and then 
eliminating them from the laboratory, preserves labora- 
tory space but raises new security issues: consider, for ex- 
ample, the problems in disposing of a device programmed 
to change its chemical composition depending on its out- 
put bit. 

That said, no doubt there are pretty secure ways of 
destroying devices, and no doubt devices could be se- 
curely isolated for long periods. However, the costs and 
problems involved, together with the costs of renewing 
devices, make us query whether these are really viable 
paths for practical device-independent quantum cryptog- 
raphy. 



Appendix C: Privacy Amplification 

Here we briefly outline the important features of pri- 
vacy amplification, which is a key step in the protocol. As 
explained in the main text, the idea is to compress the 
string such that (with high probability) an eavesdrop- 
per's knowledge is reduced to nearly zero. This usually 
works as follows. Suppose Alice and Bob share some ran- 
dom string, X, which may be correlated with a quantum 
system, E, held by the eavesdropper. Alice also holds 
some private randomness, R. The state held by Alice 
and Eve then takes the form 

\rho_{XRE} = \sum_{x,r} P_X(x) P_R(r) \, |x\rangle\langle x|_X \otimes |r\rangle\langle r|_R \otimes \rho_E^x , 

where \{\rho_E^x\}_x are normalized density operators, and 
P_R(r) = 1/|\mathcal{F}|. The randomness R is used to choose 
a function f_R \in \mathcal{F}, where \mathcal{F} is some suitably chosen 
set, to apply to X such that, even if she learns R, the 
eavesdropper's knowledge about the final string is close 
to zero. If we call the final string S = f_R(X), then Eve 
has no knowledge about it if the final state takes the form 
\tau_S \otimes \rho_{RE}, where \tau_S is maximally mixed on S. However, 
we cannot usually attain such a state, and instead measure 
the success of a protocol by its variation from this 
ideal, measured using the trace distance, D. Denoting 
the final state (after applying the function) by \rho_{SRE}, we 
are interested in D(\rho_{SRE}, \tau_S \otimes \rho_{RE}). 

Fortunately, several sets of function are known for 
which the above distance can be made arbitrarily small. 
Two common constructions are those based on two- 
universal hash functions [3, 29-31] and Trevisan's extrac- 
tor [?, 33]. The precise details of these are not very impor- 
tant for the present work (we refer the interested reader 
to the references), nor is it important which we choose. 
However, it is worth noting that for two-universal hash 
functions, the size of the seed needs to be roughly equal 
to that of the final string, while for Trevisan's extrac- 
tor, this can be reduced to roughly the logarithm of the 
length of the initial string (in the latter case, this may 
allow it to be sent privately, if desired). 

For both, the amount that the string should be com- 
pressed is quantified by the smooth conditional min- 
entropy, which we now define. For a state \rho_{AB}, the non- 
smooth conditional min-entropy is defined as 

H_{\min}(A|B)_\rho := \max_{\sigma_B} \sup\{\lambda \in \mathbb{R} : 2^{-\lambda} \mathbb{1}_A \otimes \sigma_B \geq \rho_{AB}\}, 

in terms of which the smooth min-entropy is given by 

H^{\varepsilon}_{\min}(A|B)_\rho := \max_{\bar{\rho}_{AB}} H_{\min}(A|B)_{\bar{\rho}}. 

The maximization over \bar{\rho}_{AB} is over a set of states that are 
close to \rho_{AB} according to some distance measure (see, 
for example, [34] for a discussion). 

The significance for privacy amplification can be seen 
as follows. In [3], it is shown that if f is chosen randomly 
from a set of two-universal hash functions, and applied 
to the raw string X, as above, then for |S| = 2^t and any 
\varepsilon > 0, 

D(\rho_{SRE}, \tau_S \otimes \rho_{RE}) \leq \varepsilon + \tfrac{1}{2}\, 2^{-\frac{1}{2}\left(H^{\varepsilon}_{\min}(X|E) - t\right)} . 

(An analogous statement can be made for Trevisan's ex- 
tractor [33].) Thus, if Alice compresses her string to 
length t = H^{\varepsilon}_{\min}(X|E) - \ell, then the final state after ap- 
plying the hash function has distance \varepsilon + \tfrac{1}{2}\, 2^{-\ell/2} to a 
state about which Eve has no knowledge. 



1. Entangled quantum states used in the protocol are gen- 
erated by a device Bob holds (which is separate and 
kept isolated from his measurement devices) and then 
shared over an insecure quantum channel with Alice's 
first device. Bob feeds his half of each state to his first 
measurement device. Once the states are received, the 
quantum channel is closed. 

2. Alice and Bob each pick a random input A_i and B_i 
to their first device, ensuring they receive an output 
bit (X_i and Y_i respectively) before making the next 
input (so that the i-th output cannot depend on future 
inputs). They repeat this M times. 

3. Bob publicly announces his measurement choices, and 
Alice checks that there are a sufficient number of suitable 
input combinations for the protocol. If not, Alice aborts. 

4. (Sifting.) Some output pairs may be discarded accord- 
ing to some protocol. 

5. (Parameter estimation.) Alice and Bob use their pre- 
shared key to randomly select some output pairs (they 
select only a small fraction, hence the amount of key 
required for this is small). For each of the selected 
pairs, Bob encrypts his output and sends it to Alice. 
Alice uses the communicated bits and her correspond- 
ing outputs to compute some test function, and aborts 
if it lies outside a desired range. 

6. (Error correction.) Alice and Bob perform error cor- 
rection using public discussion, in order to (with high 
probability) generate identical strings. Eve learns the 
error correction function Alice applies to her string. 

7. Alice and Bob repeat Steps 1-6 for each of their 
m devices (ensuring the devices cannot communicate 
throughout). 

8. (Privacy amplification.) Alice and Bob concatenate 
their m strings and publicly perform privacy ampli- 
fication [2^], producing a shorter shared string about 
which Eve has virtually no information. In this step, 
the size of their final string is chosen such that (with 
high probability) it will remain secure even if one of 
the raw strings or its error corrected version becomes 
known. 

TABLE 2: Structure of the protocol from the main 
text with modifications as in Countermeasure 3. For 
this protocol Alice and Bob each have m > 2 measurement 
devices, and Bob has one device for creating states. They are 
all kept isolated from one another. 

Turning to the QKD protocol in Table 1 of the main 
text, in the case of hashing the privacy amplification pro- 
cedure consists of Alice selecting t depending on the test 
function computed in the parameter estimation step. She 
then uses local randomness to choose a hash function to 
apply to her string, and announces this to Bob, who ap- 
plies the same function to his string (since we have al- 
ready performed error correction, this string should be 
identical to Alice's). The idea is that, if t is chosen ap- 
propriately, it is virtually impossible that the parameter 
estimation tests pass and the final state at the end of 
the protocol is not close to one for which Eve has no 
knowledge about the final string. 

In the modified protocol in Table 2, we expect each 
pair of devices to contribute roughly the same amount of 
smooth min entropy to the concatenated string. Thus, 
since there are m devices, in order to tolerate the po- 
tential revelation of one of the error-corrected strings 
through an abort attack, Alice should choose t to be 
roughly (m — l)/m shorter than she would otherwise. 
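As an added example (not the paper's own code; the Toeplitz construction, the function names and all numbers are assumptions made here), the following Python sizes the output string from the Appendix C bound and the m-device rule above, then applies a two-universal hash:

```python
"""Added example, not from the paper: privacy amplification with a
Toeplitz two-universal hash, with the output length set from the
Appendix C bound and the m-device rule of Table 2.  The function names,
the Toeplitz construction and every number are assumptions made here."""
import math
import secrets


def toeplitz_hash(x: list[int], seed: list[int], t: int) -> list[int]:
    """Map n raw bits to t bits with a t x n Toeplitz matrix over GF(2).

    Entry (i, j) depends only on i - j, so the matrix is fixed by a seed of
    n + t - 1 bits: roughly the size of the output, as the appendix notes
    for two-universal hashing (the seed may be announced publicly)."""
    n = len(x)
    assert len(seed) == n + t - 1, "Toeplitz seed must have n + t - 1 bits"
    out = []
    for i in range(t):
        acc = 0
        for j in range(n):
            acc ^= seed[i - j + n - 1] & x[j]   # GF(2) inner product
        out.append(acc)
    return out


def credited_entropy(h_min: float, m: int = 1) -> float:
    """Smooth min-entropy Alice may rely on.  For the Table 2 protocol with m
    isolated device pairs, one raw string may be exposed by an abort attack,
    so only (m - 1)/m of the total is credited (our reading of the rule)."""
    return h_min if m == 1 else h_min * (m - 1) / m


def output_length(h_min: float, ell: int, m: int = 1) -> int:
    """Final key length t = H_min - ell (Appendix C), using credited entropy."""
    return max(0, math.floor(credited_entropy(h_min, m)) - ell)


def security_bound(eps: float, h_min: float, t: int) -> float:
    """Trace distance to an ideal key: eps + (1/2) 2^{-(H_min - t)/2}."""
    return eps + 0.5 * 2.0 ** (-(h_min - t) / 2)


def privacy_amplify(raw: list[int], h_min: float, ell: int, m: int = 1,
                    seed=None):
    """Compress `raw` to output_length() bits; returns (key, seed)."""
    t = output_length(h_min, ell, m)
    if seed is None:
        seed = [secrets.randbits(1) for _ in range(len(raw) + t - 1)]
    return toeplitz_hash(raw, seed, t), seed


if __name__ == "__main__":
    # Constructed inputs: 64 raw bits, 40 bits of smooth min-entropy from
    # parameter estimation, security slack ell = 10.
    raw = [secrets.randbits(1) for _ in range(64)]
    for m in (1, 4):
        key, _ = privacy_amplify(raw, h_min=40.0, ell=10, m=m)
        bound = security_bound(1e-6, credited_entropy(40.0, m), len(key))
        print(f"m={m}: {len(key)} key bits, trace distance <= {bound:.3g}")
```

With m = 4 the same slack ell costs 10 fewer key bits than with a single device pair, which is the price of surviving one exposed raw string.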



Appendix D: Memory attacks on multi-device QKD 
protocols 

To illustrate further the generality of our attacks, we 
now turn to multi-device protocols, and show how to 
break iterated versions of two well known protocols. 



Attacks on compositions of the BHK protocol 

The Barrett-Hardy-Kent (BHK) protocol [6] requires 
Alice and Bob to share MN^2 pairs of systems (where 
M and N are both large with M ≪ N), in such a 
way that no measurements on any subset can effectively 
signal to the others. In a device-independent scenario, 
we can think of these as black box devices supplied by 
Eve, containing states also supplied by Eve. Each de- 
vice is isolated within its own sub-laboratory of Alice's 
and Bob's, so that Alice and Bob have MN^2 secure sub- 
laboratories each. The devices accept integer inputs in 
the range {0, . . . , N — 1} and produce integer outputs in 
the range {0, 1}. Alice and Bob choose random indepen- 
dent inputs, which they make public after obtaining all 
the outputs. They also publicly compare all their outputs 
except for those corresponding to one pair randomly cho- 
sen from among those in which the inputs differ by ±1 
or modulo N. If the publicly declared outputs agree 
with quantum statistics for specified measurement basis 
choices (corresponding to the inputs) on a singlet state, 
then they accept the protocol as secure, and take the 
final undeclared outputs (which are almost certainly an- 
ticorrelated) to define their shared secret bit. 

The BHK protocol produces (with high probability) 
precisely one secret bit: evidently, it is extremely inef- 
ficient in terms of the number of devices required. It 
also requires essentially noise-free channels and error- 
free measurements. Despite these impracticalities it il- 
lustrates our theoretical point well. Suppose that Alice 
and Bob successfully complete a run of the BHK protocol 
and then (unauthorised by BHK) decide to use the same 
2MN^2 devices to generate a second secret bit, and ask 
Eve to supply a second batch of states to allow them to 
do this. 

Eve — aware in advance that the devices may be 
reused — can design them to function as follows. In 
the first run of the protocol, she supplies a singlet pair 
to each pair of devices and the devices function honestly, 
carrying out the appropriate quantum measurements on 
their singlets and reporting the outcomes as their out- 
puts. However, they also store in memory their inputs 
and outputs. In the second run, Eve supplies a fresh 
batch of singlet pairs. However, she also supplies a hid- 
den classical signal identifying the particular pair of de- 
vices that generated the first secret bit. (This signal need 
go to just one of this pair of devices, and no others.) On 
the second run, the identified device produces as output 
the same output that it produced on the first run (i.e. the 
secret bit generated, up to a sign convention known to 
Eve). All other devices function honestly on the second 
run. 

With probability (MN^2 − 1)/(MN^2), the output from the cheating 
device on the second run will be made public, thus reveal- 
ing the first secret bit to Eve. Moreover, with probability 
1 − 1/N + O(N^{-2}), this cheating will not be detected by 
Alice and Bob's tests, so that Eve learns the first secret 
bit without her cheating even being noticed. 

There are defences against this specific attack. First, 
the BHK protocol [6] can be modified so that only out- 
puts corresponding to inputs differing by ±1 or are 
publicly shared (see footnote 5). While this causes Eve to wait many 
rounds for the secret bit to be leaked, and increases the 
risk her cheating will be detected, it leaves the iterated 
protocol insecure. Second, Alice and Bob could securely 
destroy or isolate the devices producing the secret key 
bit outputs, and reuse all their other devices in a second 
implementation. Since only the devices generating the 
secret key bit have information about it, this prevents it 
from being later leaked. While effective, this last defence 
really reflects the inefficiency of the BHK protocol: to il- 
lustrate this, we turn next to a more efficient multi-device 
protocol. 

5 As originally presented, the BHK protocol requires public ex- 
change of all outputs except those defining the secret key bit. 
This is unnecessary, and makes iterated implementations much 
more vulnerable to the attacks discussed here. 



Attacks on compositions of the HR protocol 

Hanggi and Renner (HR) [11] consider a multi-device 
QKD protocol related to the Ekert [2] protocol, in which 
Alice and Bob randomly and independently choose one of 
two or three inputs respectively for each of their devices. 
If the devices are functioning honestly, these correspond 
to measurements of a shared singlet in the bases U_0, U_1 
(Alice) and V_0, V_1, V_2 (Bob), defined by the following vec- 
tors and their orthogonal complements 

U_1 \leftrightarrow |0\rangle, 

V_0 \leftrightarrow \cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle, 

U_0, V_2 \leftrightarrow \cos(\pi/4)|0\rangle + \sin(\pi/4)|1\rangle, 

V_1 \leftrightarrow \cos(3\pi/8)|0\rangle + \sin(3\pi/8)|1\rangle. 

The raw key on any given run is defined by the ≈ 1/6 
of the cases in which U_0 and V_2 are chosen. Information 
reconciliation and privacy amplification proceed accord- 
ing to protocols of the type described in the main text 
(in which the functions used are released publicly). 

Evidently, our attacks apply here too if (unauthorised 
by HR) the devices are reused to generate further secret 
keys. Eve can identify the devices that generate the raw 
key on day 1, and request them to release their key as 
cheating outputs on later days, gradually enough that the 
cheating will be lost in the noise. Since the information 
reconciliation and privacy amplification functions were 
made public by Alice, she can then obtain the secret key. 
Even if she is unable to communicate directly with the 
devices for a long time (because they were pre-installed 
with a very large reservoir of singlets), she can program 
all devices to gradually release their day 1 outputs over 
subsequent days, and so can still deduce the raw and 
secret keys. 

Alice and Bob could counter these attacks by securely 
destroying or isolating all the devices that generated raw 
key on day 1 — but this costs them 1/6 of their devices, 
and they have to apply this strategy each time they gen- 
erate a key, leaving (5/6)^N of the devices after N runs, 
and leaving them able to generate shorter and shorter 
keys. As the length of secure key generated scales by 
(5/6)^N (or worse, allowing for fluctuations due to noise) 
on each run, the total secret key generated is bounded 
by ≈ 6M, where M is the secret key length generated on 
day 1. 

Note that, as in the case of the iterated BHK proto- 
col, all devices that generate secret key become toxic and 
cannot be reused. While the relative efficiency of the HR 
protocol ensures a (much) faster secret key rate, it also 
requires an equally fast device depletion rate. This ex- 
ample shows that our attacks pose a generic problem for 
device-independent QKD protocols of the types consid- 
ered to date. 



Appendix E: Device-independent randomness 
expansion protocols: attacks and defences 

Device-independent quantum randomness expansion 
(DVI QRE) protocols were introduced by two of us [?, 15], 
developed further by [?, 35-37], and there now ex- 
ist schemes with unconditional security proofs [36]. The 
cryptographic scenario here is slightly different from that 
of key distribution in that there is only one honest party, 
Alice. 

Alice's aim is to expand an initial secret random string 
to a longer one that is guaranteed secret from an eaves- 
dropper, Eve, even if the quantum devices and states 
used are supplied by Eve. The essential idea is that seed 
randomness can be used to carry out nonlocality tests on 
the devices and states, within one or more secure labora- 
tories, in a way that guarantees (with numerical bounds) 
that the outcomes generate a partially secret and ran- 
dom string. Privacy amplification can then be used to 
generate an essentially fully secret random string, which 
(provided the tests are passed) is significantly longer than 
the initial seed. 

There are already known pitfalls in designing such pro- 
tocols. For example, although one might think that car- 
rying out a protocol in a single secure laboratory guaran- 
tees that the initially secure seed string remains secure, 
and so guarantees randomness expansion if any new se- 
cret random data is generated, this is not the case [15]. 
Eve's devices may be programmed to produce outputs de- 
pending on the random seed in such a way that the length 
of the final secret random string depends on the initial 
seed. Protocols with this vulnerability are not compos- 
ably secure. (To see this can be a practical problem, note 
that Eve may infer the length of the generated secret ran- 
dom string from its use.) 

A corollary of our results is that, if one wants to reuse 
the devices to generate further randomness, it is crucial 
to carry out DVI QRE protocols with devices perma- 
nently held within a single secure laboratory, avoiding 
any public communication of device output data at any 
stage. It is crucial too that the devices themselves are se- 
curely isolated from classical communications and com- 
putations within the laboratory, to prevent them from 
learning details of the reconciliation and privacy amplifi- 
cation. 

Even under these stringent conditions, our attacks still 
apply in principle. For example, consider a noise-tolerant 
protocol that produces a secret random output string of 
variable length, depending on the values of test functions 
of the device outputs (the analogue of QKD parameter 
estimation for QRE) that measure how far the device 
outputs deviate from ideal honest outputs. This might 
seem natural for any single run, since - if the devices are 
never reused - the length of the provably secret random 
string that can be generated does indeed depend on the 
value of a suitable test function. However, iterating such 
a protocol allows the devices to leak information about 
(at least) their raw outputs on the first run by generating 
artificial noise in later rounds, with the level of extra 
noise chosen to depend suitably on the output values. 
Such noise statistically affects the length of the output 
random strings on later rounds. 

In this way, suitably programmed devices could ulti- 
mately allow Eve to infer all the raw outputs from the 
first round, given observation of the key string lengths 
created in later rounds. This makes the round one QRE 
insecure, since given the raw outputs for round one, and 
knowing the protocol, Eve knows all information about 
the output random string for round one, except that de- 
termined by the secret random seed. 

One defence against this would be to fix a length L for 
the random string generated corresponding to a maxi- 
mum acceptable noise level, and then to employ the Pro- 
crustean tactic of always reducing the string generated 
to length L, regardless of the measured noise level. 

Even then, though, unless some restriction is placed on 
the number of uses, the abort attack on QKD protocols 
described in the main text also applies here. The devices 
have the power to cause the protocol to abort on any 
round of their choice, and so - if she is willing to wait 
long enough - Eve can program them to communicate 
any or all information about their round 1 raw outputs 
by choosing the round on which they cause an abort. 

We also described in the main text a moderately costly 
but apparently effective defence against abort attacks 
on QKD protocols, in which Alice and Bob each have 
several isolated devices that independently generate raw 
sub-keys, which are concatenated and privacy ampli- 
fied so that exposing a single sub-key does not signifi- 
cantly compromise the final secret key. This defence ap- 
pears equally effective against abort attacks on device- 
independent quantum randomness expansion protocols. 
Since quantum randomness expansion generally involves 
only a single party, these protocols are not vulnerable to 
the impostor attacks described in the main text. It thus 
appears that it may be possible in principle to completely 
defend them against memory attacks, albeit at some cost. 

It is also worth noting that there are many scenar- 
ios in which one only needs short-lived randomness, for 
example, in many gambling applications, bets are often 
placed about random data that are later made public. 
In such scenarios, once such random data have been re- 
vealed, the devices could be reused without our attacks 
presenting any problem. 



